A new set of Intel Management Engine vulnerabilities confirmed


Not long after a few security research groups discovered new vulnerabilities in the Intel Management Engine remote administration subsystem, the chipmaker confirmed these issues in a new security advisory that also lists other bugs that were located in its software tools.

According to Intel, the Management Engine subsystem is needed to provide the best possible performance on computers powered by the company's chips; its tasks run during the boot process, while the computer is running, and during its sleep periods. However, various security firms and experts claim that the Intel Management Engine is a serious privacy concern, with some going as far as calling it a backdoor. While Intel has always denied the backdoor claim, the company has recently confirmed multiple vulnerabilities in the subsystem.

The Intel Management Engine apparently runs Minix 3 and, last month, security firm Positive Technologies revealed that a malicious user can gain full remote access to any computer with IME onboard as long as they can access one of its USB ports. As usually happens in such cases, the researchers did not fully disclose how to carry out such an attack, but said enough for everyone to figure out that this is not just a minor security flaw.

Yesterday, Intel released a new security advisory that comes with the following highlights:

bugs in the Trusted Execution Engine hardware authentication tool

new vulnerabilities in the Management Engine subsystem

bugs in the Server Platform Services server management tool

In addition to the details on the security flaws found during the audit that Intel carried out in response to the recent discoveries by third parties like Positive Technologies, the company also published a Detection Tool that Windows and Linux users can run to check whether the new vulnerabilities affect their systems.

These new vulnerabilities can lead to security issues for more than just desktop PC users, since the Intel Management Engine also runs on servers, IoT devices, and notebooks. So far, it seems that only Lenovo has managed to release firmware updates that take care of these problems (check this page for updates).
